From fa728ff0d303af6eea59ec614b9ce822c3f29db1 Mon Sep 17 00:00:00 2001 From: Florence Morris Date: Wed, 17 Sep 2025 14:08:47 -0400 Subject: [PATCH 1/6] In cockroach-debug-zip.md, added cluster settings redaction to --redact flag and example. --- src/current/v25.4/cockroach-debug-zip.md | 21 ++++++++++++++++++++- 1 file changed, 20 insertions(+), 1 deletion(-) diff --git a/src/current/v25.4/cockroach-debug-zip.md b/src/current/v25.4/cockroach-debug-zip.md index 3390d7f0e61..58a476a7c4e 100644 --- a/src/current/v25.4/cockroach-debug-zip.md +++ b/src/current/v25.4/cockroach-debug-zip.md @@ -115,7 +115,7 @@ Flag | Description `--include-range-info` | Include one file per node with information about the KV ranges stored on that node, in `nodes/{node ID}/ranges.json`.

This information can be vital when debugging issues that involve the [KV layer]({% link {{ page.version.version }}/architecture/overview.md %}#layers) (which includes everything below the SQL layer), such as data placement, load balancing, performance or other behaviors. In certain situations, on large clusters with large numbers of ranges, these files can be omitted if and only if the issue being investigated is already known to be in another layer of the system (for example, an error message about an unsupported feature or incompatible value in a SQL schema change or statement). However, many higher-level issues are ultimately related to the underlying KV layer described by these files. Only set this to `false` if directed to do so by Cockroach Labs support.

In addition, include problem ranges information in `reports/problemranges.json`.

**Default:** true `--include-running-job-traces` | Include information about each traceable job that is running or reverting (such as [backup]({% link {{ page.version.version }}/backup.md %}), [restore]({% link {{ page.version.version }}/restore.md %}), [import]({% link {{ page.version.version }}/import-into.md %}), [physical cluster replication]({% link {{ page.version.version }}/physical-cluster-replication-technical-overview.md %})) in `jobs/*/*/trace.zip` files. This involves collecting cluster-wide traces for each running job in the cluster.

**Default:** true `--nodes` | Specify nodes to inspect as a comma-separated list or range of node IDs. For example:

`--nodes=1,10,13-15` -`--redact` | Redact sensitive data from the generated `.zip`, with the exception of range keys, which must remain unredacted because they are essential to support CockroachDB. This flag replaces the deprecated `--redact-logs` flag, which only applied to log messages contained within `.zip`.

To redact hostnames and IP addresses in `.json` files, such as `status.json`, `details.json`, and `ranges.json`, you will also need to enable the [cluster setting `debug.zip.redact_addresses.enabled`]({% link {{ page.version.version }}/cluster-settings.md %}#setting-debug-zip-redact-addresses-enabled). Note that enabling this cluster setting will not redact all hostnames and IP addresses in the `nodes.json` and `gossip.json` files.

For examples, refer to [Redact sensitive information](#redact-sensitive-information). +`--redact` | Redact sensitive data from the generated `.zip`, with the exception of range keys, which must remain unredacted because they are essential to support CockroachDB. This flag replaces the deprecated `--redact-logs` flag, which only applied to log messages contained within `.zip`.

Cluster settings marked as "sensitive" are always redacted in the `crdb_internal.cluster_settings.txt` file, regardless of whether the `--redact` flag is used. When the `--redact` flag is used, "non-reportable" settings with non-default values are also redacted.

To redact hostnames and IP addresses in `.json` files, such as `status.json`, `details.json`, and `ranges.json`, you will also need to enable the [cluster setting `debug.zip.redact_addresses.enabled`]({% link {{ page.version.version }}/cluster-settings.md %}#setting-debug-zip-redact-addresses-enabled). Note that enabling this cluster setting will not redact all hostnames and IP addresses in the `nodes.json` and `gossip.json` files.

For examples, refer to [Redact sensitive information](#redact-sensitive-information). `--redact-logs` | **Deprecated** Redact sensitive data from collected log files only. Use the `--redact` flag instead, which redacts sensitive data across the entire generated `.zip` as well as the collected log files. Passing the `--redact-logs` flag will be interpreted as the `--redact` flag. `--timeout` | In the process of generating a debug zip, many internal requests are made. Each request is allowed the maximum duration specified by the timeout. If an internal request does not complete within the timeout duration, an error is displayed for that request and its artifact is not included in the zip file.

The timeout is suffixed with `s` (seconds), `m` (minutes), or `h` (hours).

**Default:** `60s` `--validate-zip-file` | Validate debug zip file after generation. This is a quick check to validate whether the generated zip file is valid and not corrupted.

**Default:** `true` @@ -197,6 +197,25 @@ $ cockroach debug zip ./cockroach-data/logs/debug.zip --redact --insecure --host server/server.go:1423 ⋮ password of user ‹×› was set to ‹×› ~~~ +#### Cluster settings redaction + +Example of a cluster setting in `crdb_internal.cluster_settings.txt` without redaction enabled: + +~~~ +cluster.organization Cockroach Labs Testing s t f f organization name override +~~~ + +Enable log redaction: + +{% include_cached copy-clipboard.html %} +~~~ shell +$ cockroach debug zip ./cockroach-data/logs/debug.zip --redact --insecure --host=200.100.50.25 +~~~ + +~~~ +cluster.organization s t f f organization name override +~~~ + #### Hostname and IP address redaction Example of `status.json` without hostname and IP address redaction enabled: From 71e1eb2decf1cb769770205dc19db91659240f0d Mon Sep 17 00:00:00 2001 From: Florence Morris Date: Wed, 17 Sep 2025 15:48:08 -0400 Subject: [PATCH 2/6] In cockroach-debug-zip.md, added cluster_settings_history.txt to --redact flag. --- src/current/v25.4/cockroach-debug-zip.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/current/v25.4/cockroach-debug-zip.md b/src/current/v25.4/cockroach-debug-zip.md index 58a476a7c4e..f4c48bce00a 100644 --- a/src/current/v25.4/cockroach-debug-zip.md +++ b/src/current/v25.4/cockroach-debug-zip.md @@ -115,7 +115,7 @@ Flag | Description `--include-range-info` | Include one file per node with information about the KV ranges stored on that node, in `nodes/{node ID}/ranges.json`.

This information can be vital when debugging issues that involve the [KV layer]({% link {{ page.version.version }}/architecture/overview.md %}#layers) (which includes everything below the SQL layer), such as data placement, load balancing, performance or other behaviors. In certain situations, on large clusters with large numbers of ranges, these files can be omitted if and only if the issue being investigated is already known to be in another layer of the system (for example, an error message about an unsupported feature or incompatible value in a SQL schema change or statement). However, many higher-level issues are ultimately related to the underlying KV layer described by these files. Only set this to `false` if directed to do so by Cockroach Labs support.

In addition, include problem ranges information in `reports/problemranges.json`.

**Default:** true `--include-running-job-traces` | Include information about each traceable job that is running or reverting (such as [backup]({% link {{ page.version.version }}/backup.md %}), [restore]({% link {{ page.version.version }}/restore.md %}), [import]({% link {{ page.version.version }}/import-into.md %}), [physical cluster replication]({% link {{ page.version.version }}/physical-cluster-replication-technical-overview.md %})) in `jobs/*/*/trace.zip` files. This involves collecting cluster-wide traces for each running job in the cluster.

**Default:** true `--nodes` | Specify nodes to inspect as a comma-separated list or range of node IDs. For example:

`--nodes=1,10,13-15` -`--redact` | Redact sensitive data from the generated `.zip`, with the exception of range keys, which must remain unredacted because they are essential to support CockroachDB. This flag replaces the deprecated `--redact-logs` flag, which only applied to log messages contained within `.zip`.

Cluster settings marked as "sensitive" are always redacted in the `crdb_internal.cluster_settings.txt` file, regardless of whether the `--redact` flag is used. When the `--redact` flag is used, "non-reportable" settings with non-default values are also redacted.

To redact hostnames and IP addresses in `.json` files, such as `status.json`, `details.json`, and `ranges.json`, you will also need to enable the [cluster setting `debug.zip.redact_addresses.enabled`]({% link {{ page.version.version }}/cluster-settings.md %}#setting-debug-zip-redact-addresses-enabled). Note that enabling this cluster setting will not redact all hostnames and IP addresses in the `nodes.json` and `gossip.json` files.

For examples, refer to [Redact sensitive information](#redact-sensitive-information). +`--redact` | Redact sensitive data from the generated `.zip`, with the exception of range keys, which must remain unredacted because they are essential to support CockroachDB. This flag replaces the deprecated `--redact-logs` flag, which only applied to log messages contained within `.zip`.

Cluster settings marked as "sensitive" are always redacted in the `crdb_internal.cluster_settings.txt` and `cluster_settings_history.txt` files, regardless of whether the `--redact` flag is used. When the `--redact` flag is used, the non-default values of "non-reportable" settings are also redacted.

To redact hostnames and IP addresses in `.json` files, such as `status.json`, `details.json`, and `ranges.json`, you will also need to enable the [cluster setting `debug.zip.redact_addresses.enabled`]({% link {{ page.version.version }}/cluster-settings.md %}#setting-debug-zip-redact-addresses-enabled). Note that enabling this cluster setting will not redact all hostnames and IP addresses in the `nodes.json` and `gossip.json` files.

For examples, refer to [Redact sensitive information](#redact-sensitive-information). `--redact-logs` | **Deprecated** Redact sensitive data from collected log files only. Use the `--redact` flag instead, which redacts sensitive data across the entire generated `.zip` as well as the collected log files. Passing the `--redact-logs` flag will be interpreted as the `--redact` flag. `--timeout` | In the process of generating a debug zip, many internal requests are made. Each request is allowed the maximum duration specified by the timeout. If an internal request does not complete within the timeout duration, an error is displayed for that request and its artifact is not included in the zip file.

The timeout is suffixed with `s` (seconds), `m` (minutes), or `h` (hours).

**Default:** `60s` `--validate-zip-file` | Validate debug zip file after generation. This is a quick check to validate whether the generated zip file is valid and not corrupted.

**Default:** `true` From eb8f9f788a940118a8f6d2741aebfddba617e696 Mon Sep 17 00:00:00 2001 From: Florence Morris Date: Wed, 17 Sep 2025 16:26:22 -0400 Subject: [PATCH 3/6] In cockroach-debug-zip.md, fixed example. --- src/current/v25.4/cockroach-debug-zip.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/src/current/v25.4/cockroach-debug-zip.md b/src/current/v25.4/cockroach-debug-zip.md index f4c48bce00a..520b2706e5a 100644 --- a/src/current/v25.4/cockroach-debug-zip.md +++ b/src/current/v25.4/cockroach-debug-zip.md @@ -202,6 +202,8 @@ server/server.go:1423 ⋮ password of user ‹×› was set to ‹×› Example of a cluster setting in `crdb_internal.cluster_settings.txt` without redaction enabled: ~~~ +variable value type public sensitive reportable description default_value origin +... cluster.organization Cockroach Labs Testing s t f f organization name override ~~~ @@ -213,6 +215,8 @@ $ cockroach debug zip ./cockroach-data/logs/debug.zip --redact --insecure --host ~~~ ~~~ +variable value type public sensitive reportable description default_value origin +... cluster.organization s t f f organization name override ~~~ From d3f91db6b47811d1673f6f2697045bddc3f17b32 Mon Sep 17 00:00:00 2001 From: Florence Morris Date: Fri, 26 Sep 2025 13:03:54 -0400 Subject: [PATCH 4/6] =?UTF-8?q?Incorporated=20Kyle=E2=80=99s=20feedback.?= =?UTF-8?q?=20Replaced=20tabs=20with=20spaces=20to=20line=20up=20example?= =?UTF-8?q?=20code=20results.?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- src/current/v25.4/cockroach-debug-zip.md | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/src/current/v25.4/cockroach-debug-zip.md b/src/current/v25.4/cockroach-debug-zip.md index 520b2706e5a..c4cdafc54c5 100644 --- a/src/current/v25.4/cockroach-debug-zip.md +++ b/src/current/v25.4/cockroach-debug-zip.md 
@@ -199,12 +199,12 @@ server/server.go:1423 ⋮ password of user ‹×› was set to ‹×› #### Cluster settings redaction -Example of a cluster setting in `crdb_internal.cluster_settings.txt` without redaction enabled: +Example of a non-reportable cluster setting in `crdb_internal.cluster_settings.txt` without redaction enabled: ~~~ -variable value type public sensitive reportable description default_value origin +variable value type public sensitive reportable description default_value origin ... -cluster.organization Cockroach Labs Testing s t f f organization name override +cluster.organization Cockroach Labs Testing s t f f organization name override ~~~ Enable log redaction: @@ -214,10 +214,12 @@ Enable log redaction: $ cockroach debug zip ./cockroach-data/logs/debug.zip --redact --insecure --host=200.100.50.25 ~~~ +A non-reportable cluster setting in `crdb_internal.cluster_settings.txt` with redaction enabled: + ~~~ -variable value type public sensitive reportable description default_value origin +variable value type public sensitive reportable description default_value origin ... -cluster.organization s t f f organization name override +cluster.organization s t f f organization name override ~~~ #### Hostname and IP address redaction From aa1280a989d50c4ccd0aa5d6b034de8062d2d0c9 Mon Sep 17 00:00:00 2001 From: Florence Morris Date: Fri, 26 Sep 2025 17:14:19 -0400 Subject: [PATCH 5/6] =?UTF-8?q?Incorporated=20Ryan=E2=80=99s=20feedback.?= =?UTF-8?q?=20Expanded=20--redact=20flag=20description=20and=20Cluster=20s?= =?UTF-8?q?ettings=20redaction=20example.?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- src/current/v25.4/cockroach-debug-zip.md | 26 ++++++++++++++++-------- 1 file changed, 17 insertions(+), 9 deletions(-) diff --git a/src/current/v25.4/cockroach-debug-zip.md b/src/current/v25.4/cockroach-debug-zip.md index c4cdafc54c5..7391a181fe6 100644 --- a/src/current/v25.4/cockroach-debug-zip.md 
+++ b/src/current/v25.4/cockroach-debug-zip.md @@ -115,8 +115,8 @@ Flag | Description `--include-range-info` | Include one file per node with information about the KV ranges stored on that node, in `nodes/{node ID}/ranges.json`.

This information can be vital when debugging issues that involve the [KV layer]({% link {{ page.version.version }}/architecture/overview.md %}#layers) (which includes everything below the SQL layer), such as data placement, load balancing, performance or other behaviors. In certain situations, on large clusters with large numbers of ranges, these files can be omitted if and only if the issue being investigated is already known to be in another layer of the system (for example, an error message about an unsupported feature or incompatible value in a SQL schema change or statement). However, many higher-level issues are ultimately related to the underlying KV layer described by these files. Only set this to `false` if directed to do so by Cockroach Labs support.

In addition, include problem ranges information in `reports/problemranges.json`.

**Default:** true `--include-running-job-traces` | Include information about each traceable job that is running or reverting (such as [backup]({% link {{ page.version.version }}/backup.md %}), [restore]({% link {{ page.version.version }}/restore.md %}), [import]({% link {{ page.version.version }}/import-into.md %}), [physical cluster replication]({% link {{ page.version.version }}/physical-cluster-replication-technical-overview.md %})) in `jobs/*/*/trace.zip` files. This involves collecting cluster-wide traces for each running job in the cluster.

**Default:** true `--nodes` | Specify nodes to inspect as a comma-separated list or range of node IDs. For example:

`--nodes=1,10,13-15` -`--redact` | Redact sensitive data from the generated `.zip`, with the exception of range keys, which must remain unredacted because they are essential to support CockroachDB. This flag replaces the deprecated `--redact-logs` flag, which only applied to log messages contained within `.zip`.

Cluster settings marked as "sensitive" are always redacted in the `crdb_internal.cluster_settings.txt` and `cluster_settings_history.txt` files, regardless of whether the `--redact` flag is used. When the `--redact` flag is used, the non-default values of "non-reportable" settings are also redacted.

To redact hostnames and IP addresses in `.json` files, such as `status.json`, `details.json`, and `ranges.json`, you will also need to enable the [cluster setting `debug.zip.redact_addresses.enabled`]({% link {{ page.version.version }}/cluster-settings.md %}#setting-debug-zip-redact-addresses-enabled). Note that enabling this cluster setting will not redact all hostnames and IP addresses in the `nodes.json` and `gossip.json` files.

For examples, refer to [Redact sensitive information](#redact-sensitive-information). -`--redact-logs` | **Deprecated** Redact sensitive data from collected log files only. Use the `--redact` flag instead, which redacts sensitive data across the entire generated `.zip` as well as the collected log files. Passing the `--redact-logs` flag will be interpreted as the `--redact` flag. +`--redact` | Redact sensitive data in the generated `.zip` file. This flag replaces the deprecated [`--redact-logs`](#redact-logs) flag.

This flag redacts the following data:
  • Sensitive data in log messages. Refer to [Log redaction](#log-redaction) for an example.
  • Non-default values of cluster settings marked as **not** `reportable` in `crdb_internal.cluster_settings.txt` and `cluster_settings_history.txt`. Refer to [Cluster settings redactions](#cluster-settings-redaction) for an example.
  • Hostnames and IP addresses in `.json` files (such as `status.json`, `details.json`, and `ranges.json`) when the cluster setting [`debug.zip.redact_addresses.enabled`]({% link {{ page.version.version }}/cluster-settings.md %}#setting-debug-zip-redact-addresses-enabled) is enabled. Refer to [Hostname and IP address redaction](#hostname-and-ip-address-redaction) for an example.
This flag does **not** affect the following data:
  • Range keys are **never** redacted because they are essential for CockroachDB support.
  • Cluster settings marked as `sensitive` are **always** redacted in `crdb_internal.cluster_settings.txt` and `cluster_settings_history.txt`. For an example, refer to [Cluster settings redactions](#cluster-settings-redaction).
  • Some hostnames and IP addresses in the `nodes.json` and `gossip.json` files are **never** redacted, even when `debug.zip.redact_addresses.enabled` is enabled.
For examples, refer to [Redact sensitive information](#redact-sensitive-information). +`--redact-logs` | **Deprecated** Redact sensitive data from collected log files only. Use the `--redact` flag instead, which redacts sensitive data across the entire generated `.zip` as well as the collected log files. Passing the `--redact-logs` flag will be interpreted as the `--redact` flag. `--timeout` | In the process of generating a debug zip, many internal requests are made. Each request is allowed the maximum duration specified by the timeout. If an internal request does not complete within the timeout duration, an error is displayed for that request and its artifact is not included in the zip file.

The timeout is suffixed with `s` (seconds), `m` (minutes), or `h` (hours).

**Default:** `60s` `--validate-zip-file` | Validate debug zip file after generation. This is a quick check to validate whether the generated zip file is valid and not corrupted.

**Default:** `true` @@ -199,14 +199,18 @@ server/server.go:1423 ⋮ password of user ‹×› was set to ‹×› #### Cluster settings redaction -Example of a non-reportable cluster setting in `crdb_internal.cluster_settings.txt` without redaction enabled: +Example cluster settings in `crdb_internal.cluster_settings.txt` without redaction enabled: ~~~ -variable value type public sensitive reportable description default_value origin +variable value type public sensitive reportable description default_value origin ... -cluster.organization Cockroach Labs Testing s t f f organization name override +cluster.organization Cockroach Labs Testing s t f f organization name override +... +server.identity_map.configuration s t t f system-identity to database-username mappings default ~~~ +`server.identity_map.configuration` is redacted since `sensitive` equals `true`. + Enable log redaction: {% include_cached copy-clipboard.html %} @@ -214,14 +218,18 @@ Enable log redaction: $ cockroach debug zip ./cockroach-data/logs/debug.zip --redact --insecure --host=200.100.50.25 ~~~ -A non-reportable cluster setting in `crdb_internal.cluster_settings.txt` with redaction enabled: +Cluster settings in `crdb_internal.cluster_settings.txt` with redaction enabled: ~~~ -variable value type public sensitive reportable description default_value origin +variable value type public sensitive reportable description default_value origin ... -cluster.organization s t f f organization name override +cluster.organization s t f f organization name override +... +server.identity_map.configuration s t t f system-identity to database-username mappings default ~~~ +`server.identity_map.configuration` is still redacted. `cluster.organization` is now redacted since `reportable` equals `false` and the value of `Cockroach Labs Testing` does not equal the default (in this case, the empty string). + #### Hostname and IP address redaction Example of `status.json` without hostname and IP address redaction enabled: 
@@ -251,7 +259,7 @@ SET CLUSTER SETTING debug.zip.redact_addresses.enabled = true; Enabling the `debug.zip.redact_addresses.enabled` cluster setting will not redact all hostnames and IP addresses in the `nodes.json` and `gossip.json` files. {{site.data.alerts.end}} -Then, generate `.zip` with log redaction as well as hostname and IP address redaction: +Then, generate `.zip` with redaction enabled: {% include_cached copy-clipboard.html %} ~~~ shell From be604845ef9440949390fe1cca329c3416c61748 Mon Sep 17 00:00:00 2001 From: Florence Morris Date: Fri, 3 Oct 2025 16:52:54 -0400 Subject: [PATCH 6/6] =?UTF-8?q?Incorporated=20Ryan=E2=80=99s=20feedback.?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- src/current/v25.4/cockroach-debug-zip.md | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/src/current/v25.4/cockroach-debug-zip.md b/src/current/v25.4/cockroach-debug-zip.md index 7391a181fe6..6bdf18b4627 100644 --- a/src/current/v25.4/cockroach-debug-zip.md +++ b/src/current/v25.4/cockroach-debug-zip.md @@ -115,7 +115,7 @@ Flag | Description `--include-range-info` | Include one file per node with information about the KV ranges stored on that node, in `nodes/{node ID}/ranges.json`.

This information can be vital when debugging issues that involve the [KV layer]({% link {{ page.version.version }}/architecture/overview.md %}#layers) (which includes everything below the SQL layer), such as data placement, load balancing, performance or other behaviors. In certain situations, on large clusters with large numbers of ranges, these files can be omitted if and only if the issue being investigated is already known to be in another layer of the system (for example, an error message about an unsupported feature or incompatible value in a SQL schema change or statement). However, many higher-level issues are ultimately related to the underlying KV layer described by these files. Only set this to `false` if directed to do so by Cockroach Labs support.

In addition, include problem ranges information in `reports/problemranges.json`.

**Default:** true `--include-running-job-traces` | Include information about each traceable job that is running or reverting (such as [backup]({% link {{ page.version.version }}/backup.md %}), [restore]({% link {{ page.version.version }}/restore.md %}), [import]({% link {{ page.version.version }}/import-into.md %}), [physical cluster replication]({% link {{ page.version.version }}/physical-cluster-replication-technical-overview.md %})) in `jobs/*/*/trace.zip` files. This involves collecting cluster-wide traces for each running job in the cluster.

**Default:** true `--nodes` | Specify nodes to inspect as a comma-separated list or range of node IDs. For example:

`--nodes=1,10,13-15` -`--redact` | Redact sensitive data in the generated `.zip` file. This flag replaces the deprecated [`--redact-logs`](#redact-logs) flag.

This flag redacts the following data:
  • Sensitive data in log messages. Refer to [Log redaction](#log-redaction) for an example.
  • Non-default values of cluster settings marked as **not** `reportable` in `crdb_internal.cluster_settings.txt` and `cluster_settings_history.txt`. Refer to [Cluster settings redactions](#cluster-settings-redaction) for an example.
  • Hostnames and IP addresses in `.json` files (such as `status.json`, `details.json`, and `ranges.json`) when the cluster setting [`debug.zip.redact_addresses.enabled`]({% link {{ page.version.version }}/cluster-settings.md %}#setting-debug-zip-redact-addresses-enabled) is enabled. Refer to [Hostname and IP address redaction](#hostname-and-ip-address-redaction) for an example.
This flag does **not** affect the following data:
  • Range keys are **never** redacted because they are essential for CockroachDB support.
  • Cluster settings marked as `sensitive` are **always** redacted in `crdb_internal.cluster_settings.txt` and `cluster_settings_history.txt`. For an example, refer to [Cluster settings redactions](#cluster-settings-redaction).
  • Some hostnames and IP addresses in the `nodes.json` and `gossip.json` files are **never** redacted, even when `debug.zip.redact_addresses.enabled` is enabled.
For examples, refer to [Redact sensitive information](#redact-sensitive-information). +`--redact` | Redact sensitive data in the generated `.zip` file. This flag replaces the deprecated [`--redact-logs`](#redact-logs) flag.

This flag redacts the following data:
  • Sensitive data in log messages. Refer to [Log redaction](#log-redaction) for an example.
  • Non-default values of cluster settings marked as **not** `reportable` in `crdb_internal.cluster_settings.txt` and `cluster_settings_history.txt`. Refer to [Cluster settings redaction](#cluster-settings-redaction) for an example.
  • Hostnames and IP addresses in `.json` files (such as `status.json`, `details.json`, and `ranges.json`) when the cluster setting [`debug.zip.redact_addresses.enabled`]({% link {{ page.version.version }}/cluster-settings.md %}#setting-debug-zip-redact-addresses-enabled) is enabled. Refer to [Hostname and IP address redaction](#hostname-and-ip-address-redaction) for an example.
This flag does **not** affect the following data:
  • Range keys are **never** redacted because they are essential for CockroachDB support.
  • Cluster settings marked as `sensitive` are **always** redacted in `crdb_internal.cluster_settings.txt` and `cluster_settings_history.txt`. For an example, refer to [Cluster settings redaction](#cluster-settings-redaction).
  • Some hostnames and IP addresses in the `nodes.json` and `gossip.json` files are **never** redacted, even when `debug.zip.redact_addresses.enabled` is enabled.
For examples, refer to [Redact sensitive information](#redact-sensitive-information). `--redact-logs` | **Deprecated** Redact sensitive data from collected log files only. Use the `--redact` flag instead, which redacts sensitive data across the entire generated `.zip` as well as the collected log files. Passing the `--redact-logs` flag will be interpreted as the `--redact` flag. `--timeout` | In the process of generating a debug zip, many internal requests are made. Each request is allowed the maximum duration specified by the timeout. If an internal request does not complete within the timeout duration, an error is displayed for that request and its artifact is not included in the zip file.

The timeout is suffixed with `s` (seconds), `m` (minutes), or `h` (hours).

**Default:** `60s` `--validate-zip-file` | Validate debug zip file after generation. This is a quick check to validate whether the generated zip file is valid and not corrupted.

**Default:** `true` @@ -180,7 +180,7 @@ $ cockroach debug zip ./cockroach-data/logs/debug.zip --include-files=*.log #### Log redaction -Example of a log string without redaction enabled: +Example of a log string without [`--redact`](#redact) enabled: ~~~ server/server.go:1423 ⋮ password of user ‹admin› was set to ‹"s3cr34?!@x_"› @@ -199,7 +199,7 @@ server/server.go:1423 ⋮ password of user ‹×› was set to ‹×› #### Cluster settings redaction -Example cluster settings in `crdb_internal.cluster_settings.txt` without redaction enabled: +Example cluster settings in `crdb_internal.cluster_settings.txt` without [`--redact`](#redact) enabled: ~~~ variable value type public sensitive reportable description default_value origin @@ -209,7 +209,7 @@ cluster.organization Cockroach Labs Testing s t f f server.identity_map.configuration s t t f system-identity to database-username mappings default ~~~ -`server.identity_map.configuration` is redacted since `sensitive` equals `true`. +`server.identity_map.configuration` is always redacted, since `sensitive` equals `true`. Enable log redaction: @@ -218,7 +218,7 @@ Enable log redaction: $ cockroach debug zip ./cockroach-data/logs/debug.zip --redact --insecure --host=200.100.50.25 ~~~ -Cluster settings in `crdb_internal.cluster_settings.txt` with redaction enabled: +Cluster settings in `crdb_internal.cluster_settings.txt` with [`--redact`](#redact) enabled: ~~~ variable value type public sensitive reportable description default_value origin 
@@ -228,7 +228,7 @@ cluster.organization s t f f or server.identity_map.configuration s t t f system-identity to database-username mappings default ~~~ -`server.identity_map.configuration` is still redacted. `cluster.organization` is now redacted since `reportable` equals `false` and the value of `Cockroach Labs Testing` does not equal the default (in this case, the empty string). +`server.identity_map.configuration` is still redacted. `cluster.organization` is now redacted since `reportable` equals `false` and the `Cockroach Labs Testing` value is not the default value (in this case, the empty string). #### Hostname and IP address redaction @@ -248,7 +248,7 @@ Example of `status.json` without hostname and IP address redaction enabled: } ~~~ -First, [enable the cluster setting]({% link {{ page.version.version }}/set-cluster-setting.md %}): +Enable hostname and IP address redaction with the [`debug.zip.redact_addresses.enabled`]({% link {{ page.version.version }}/cluster-settings.md %}#setting-debug-zip-redact-addresses-enabled) cluster setting: {% include_cached copy-clipboard.html %} ~~~ sql @@ -256,10 +256,10 @@ SET CLUSTER SETTING debug.zip.redact_addresses.enabled = true; ~~~ {{site.data.alerts.callout_info}} -Enabling the `debug.zip.redact_addresses.enabled` cluster setting will not redact all hostnames and IP addresses in the `nodes.json` and `gossip.json` files. +Some hostnames and IP addresses in the `nodes.json` and `gossip.json` files are **never** redacted, even when `debug.zip.redact_addresses.enabled` is enabled. {{site.data.alerts.end}} -Then, generate `.zip` with redaction enabled: +Generate `.zip` with [`--redact`](#redact) enabled: {% include_cached copy-clipboard.html %} ~~~ shell
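Review bot: the lead-in `Enable log redaction:` in the `#### Cluster settings redaction` example (added in PATCH 1/6, hunk `@@ -197,6 +197,25 @@`) describes the wrong thing. The command under it passes `--redact`, which the updated flag description says covers log messages, non-reportable cluster settings and, with the cluster setting enabled, addresses. This section is about cluster settings, not logs. The line is still present as unchanged context in PATCH 6/6, where the neighbouring lead-ins were reworded to "with [`--redact`](#redact) enabled". Suggest changing it to match, for example: Generate the `.zip` with [`--redact`](#redact) enabled: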
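Review bot: the in-page links `[--redact-logs](#redact-logs)` (PATCH 5/6, hunk `@@ -115,8 +115,8 @@`) and `[--redact](#redact)` (PATCH 6/6, example lead-ins) target rows of the flag table, but no anchor for either row is visible in these hunks. The cells read `--redact |` and `--redact-logs |` with nothing that would define `#redact` or `#redact-logs`. Headings get generated IDs, table cells do not, so unless the anchors are defined elsewhere in the file these links will resolve to the top of the page. Please confirm the anchors exist or add explicit ones to the two flag cells in this series.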
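Review bot: in the example tables of PATCH 5/6 (hunk `@@ -199,14 +199,18 @@`), a redacted value appears as an empty `value` column, both for `server.identity_map.configuration` in the first block and for `cluster.organization` in the `--redact` block. The sentences below call these "redacted", but a reader checking a zip before sharing it cannot tell a redacted value from a setting whose value is simply empty, and `cluster.organization` also has an empty `default_value` in the same row. If the real file carries a marker in that column, show it in the example and make sure any angle brackets are escaped so the marker is not dropped as markup. If the column really is blank, say so explicitly in the explanatory sentence.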
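Review bot: PATCH 2/6 adds `cluster_settings_history.txt` to the `--redact` description, but the `#### Cluster settings redaction` example introduced in PATCH 1/6 and revised through PATCH 6/6 only ever names `crdb_internal.cluster_settings.txt` in its lead-ins. Add one sentence to the example section stating that the same redaction rules apply to `cluster_settings_history.txt`, so that someone auditing a debug zip knows to check both files.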